Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to GateKeeper - bypass or not bypass?
Similar to GateKeeper - bypass or not bypass? (20)
More from Csaba Fitzl
More from Csaba Fitzl (6)
Recently uploaded
Recently uploaded (20)
GateKeeper - bypass or not bypass?
- 1. GateKeeper Bypass or not bypass? Csaba Fitzl Twitter: @theevilbit
- 2. whoami • red teamer, ex blue teamer • kex - kernel exploitation python toolkit • recent macOS research • husband, father • hiking • yoga
- 3. the goal Understand how GateKeeper works and when it is invoked, show ways to bypass / avoid it.
- 4. Mojave
- 5. tests gone wrong • while working on something: • create pkg/mach-o file unsigned locally and run • download a unsigned pkg/mach-o and run it from Terminal • never got a GateKeeper popup • what? why?
- 6. experiment prep • create a meterpreter mach-o • serv via HTTP • download • ensure quarantine flag is present
- 7. experiment #1 • double click • use ‘open’ command
- 8. experiment #2 • add executable rights • run • enjoy your shelz
- 9. experiment #3 • create plist file • load it • enjoy your shelz
- 10. experiment #4 • create code that wraps it • compile, run • enjoy your shelz
- 11. what? • is experiment 2-4 a bypass or not? • seemed to be well known, but even Patrick Wardle was unsure: • let’s ask Apple!! • not a bypass, expected behaviour
- 12. conclusion Gatekeeper only verifies executables, which are run with the `open` command or the user double clicks (=LaunchServices) on first run. It won’t verify files, that are executed through other means like, directly executing a binary `./myapp` regardless of the quarantine attribute. If you can place a plist file inside LaunchAgents/LaunchDaemons, the command inside will also be executed. Although it’s not clearly stated everywhere, but I think the overall goal is prevent execution when users double-click applications downloaded from the Internet. If you go and grant execution rights, I think Apple assumes ‘advanced’ users in that case and will not deal with it. This is my take on it.
- 13. i still want a bypass / RCE • plist file inside LaunchAgents will be loaded regardless of the ‘q’ flag • idea: let’s drop a plist file there during download • Safari auto unzips files (default) - (protip: TURN THIS FEATURE OFF!!) • let’s try to redirect files • after plenty of hours, days, weeks - no luck, no escape from the ‘Downloads’ folder
- 14. • if we can’t do it, let’s ask the user to do it :D • how do you install apps on macOS? D&D. • let’s create something similar
- 15. creating your DMG • replace the symlink on the right • add an icon to your plist file (Get Info) • arrange your DMG layout • result:
- 16. demo time
- 17. Catalina
- 18. changes • on top of Mojave, GK is also invoked if • executed via ‘exec’, etc… (on first run) • malware check on *every* execution (not just 1st run) • the previous experiments won’t work • although it was well known to everyone (bypass GK via ‘exec’), no one raised it to Apple, likely only me, thus:
- 19. yet to be fixed - plist • plist files are still loaded regardless of the ‘q’ attribute • you can put shell scripts inside • D&D trick is killed in Catalina (user’s can’t D&D to symlinks pointing to LaunchAgents folder)
- 20. bring your own VM :) • Qemu is supported on macOS, signed • use that to run a VM (cryptominer malware) • not useful if you need to access user data • useful if you only need CPU power
- 21. ?
- 22. Credits / References • Icons made by Freepik, Prosymbols, good-ware from FlatIcon • https://developer.apple.com/videos/play/wwdc2019/701 • https://blog.malwarebytes.com/mac/2019/06/new-mac-cryptominer- malwarebytes-detects-as-bird-miner-runs-by-emulating-linux/ • https://objective-see.com/blog/blog_0x32.html • https://speakerdeck.com/patrickwardle/shmoocon-2016-gatekeeper- exposed-come-see-conquer